Managers-Net

Risk Assessment I

An approach to process risk assessment

Why Risk Assessment?

It is important that any organisation understands the impact that its business processes may have
on its operational risk and its ability to continue in business.
Consequently, any organisation must design and develop a method of risk assessment which can be used
to identify and determine these risks.

The Risk Assessment Process

Identify the Process

This involves identifying and then documenting the process.
In some cases the process will already have been defined and documented, usually in
the form of a process flow chart.
However, if new processes are being designed they may not be clearly defined.
In these cases additional time will have to be allowed for this phase of the work.
It is a critical phase which cannot be omitted, as risk assessment cannot be performed
properly until a process has been defined and described.

Identify Process Weaknesses

Once each process has been documented, a trained and skilled individual, or group of individuals,
should review it to identify any weaknesses.
These weaknesses are the parts of the process that could lead to an operational risk event.
It must be noted that these weaknesses are not necessarily an indication of inefficiency;
they are specifically those which may give rise to an operational risk.

Examples of process weaknesses:

Operator error

This may be due to the fact that a particular activity is manual rather than automated,
e.g. an employee might make a data input error or fail to comply with a
particular procedure or piece of legislation.

Employee actions

E.g. fraud, or breach of policy, rules and regulations.

Customer actions

E.g. fraud or other form of theft.

Supplier actions

E.g. provision of faulty or defective materials and/or information.

Data loss and/or theft

Where data is simply lost, either mistakenly or deliberately. This could be either an internal or external loss.

Data corruption

When data is transferred from one system to another and becomes corrupted in the process, or where
information is input incorrectly.

The above are only examples of weaknesses. Each organisation will have to take a view on which
weaknesses may be applicable to itself.

Identify Process Risks

Once the weaknesses, or what are sometimes known as points of failure, have been identified,
the operational risk events that are associated with these points should be identified.
To help with this stage of the process it is advisable for the organisation to determine and
agree the categories of process risk.
Although there may be risks that are common to all sectors of the economy, it is likely that
many risks will be unique to each organisation.
Once agreed, these risk categories should then be documented.

Each risk which is subsequently identified from the review of the process should then be recorded in an agreed format.

Evaluate the Risk

Some organisations may choose to score the risk.
This is an optional task, but if carried out it helps to identify the potential severity of the risks
and thus their importance to the organisation.
If risk scoring is pursued it will be possible to determine and quantify the organisation's risk exposure.
Both the probability of an event occurring and its potential impact should be assessed.
In this way an organisation's exposure to risk can be accurately assessed.
Once all risks have been scored it will be possible to produce a list or table of all risks and their
potential threat to the organisation.
This can then be used to determine which risks will need to be addressed and to identify the actions
that can be introduced to reduce the threat they pose.
Clearly, priority should be given to those risks posing the greatest threat.

This stage concludes the required identification and assessment of risk.
The next stage is to identify and design measures that can be implemented to mitigate these risks.
This is described in Risk Assessment II.